cvedb.io
CVE-2026-1439
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-02-18T14:16:06.290 · Last modified 2026-06-17T10:15:47.497

Summary

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the  '/ alerts /' endpoint.

Affected products

graylog — graylog

Does this affect you?

Add your gear to cvedb and we'll alert you only when graylog ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.